Single Sign On SAML 2.0 Service provider?


Dan Capri

May 15, 2013, 5:53:33 PM
to dropwiz...@googlegroups.com
Hey guys,

We have been using dropwizard to build our services for some time and love it. However, we recently partnered with a company that requires SAML 2.0 authentication. I haven't found much related to dropwizard using SAML for authentication so I thought I'd ask if anyone has experience. We are limited to STS and Browser POST profile styles of SSO interactions.

I'm doing my due diligence and getting up to speed on the facets of SAML SSO and discovering java options for this, but I was hoping someone might have a dropwizard specific example I could examine.

Thanks in advance.
DCapri

Coda Hale

May 15, 2013, 6:46:02 PM
to dropwiz...@googlegroups.com
I'd be surprised if there's anything Dropwizard-specific, but the Shibboleth ecosystem[1] is in Java and open source.

Dropwizard can run arbitrary servlets, so you should be fine.
--
You received this message because you are subscribed to the Google Groups "dropwizard-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dropwizard-us...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

David Morgantini

May 16, 2013, 7:03:58 PM
to dropwiz...@googlegroups.com
We are using dropwizard and SAML 2.0 but we have decided to roll our own implementation with OpenSaml (part of Shibboleth). Not sure I would recommend this practice as SAML is a beast and OpenSaml is but a thin wrapper which I would say is very easy to fuck up. Assuming that you do go this path, we used an AuthProvider similar to the dropwizard provided ones and then manually generate AuthnRequests. Unfortunately, you also have the fun of dealing with Metadata and other awesome SAML concepts (remember this is an XML framework that calls SOAP lightweight). Bottom line is that any work you consider doing with OpenSaml will take you far longer than you would think it should. All of our estimates when it came to dealing with SAML stuff were always off.

I personally would love to open-source the work we've done with this, but due to 'security' considerations we are not allowed to.  If this changes I'll be sure to share the work we've done as it will save you hours of pain and effort.

If on the other hand you find something that is useful to you, please let me know as we will have many service providers that are going to need to implement services to interact with the system we are building.

Cheers,

David

Dan Capri

May 20, 2013, 4:04:12 PM
to dropwiz...@googlegroups.com
Just wanted to say thanks guys. I have stood up a Shibboleth Identity Provider service and I'm in the process of building out a dropwizard service equipped with guice and shiro to work against it. Things seem to be going well so far. If and when I get it running, I'll post a generic github project of the solution.

DCapri

David Morgantini

May 22, 2013, 3:56:32 AM
to dropwiz...@googlegroups.com
Does shiro do SAML out of the box?

Cameron Stokes

May 23, 2013, 11:19:24 AM
to dropwiz...@googlegroups.com
Dan, just a little encouragement... I'm very interested in seeing your generic solution when you're able to post it. :)

Sam Pullara

Jul 10, 2013, 8:38:06 PM
to dropwiz...@googlegroups.com
Hi Dan,

Were you able to get this working?

Thanks,
Sam

Ted M. Young

Mar 3, 2014, 2:19:06 PM
to dropwiz...@googlegroups.com
Has anyone done anything more with SAML-based SSO? I'm looking at using OIOSAML[1] or going the Spring Security-SAML[2] route. Haven't looked at Shiro[3] yet. Since this is a "nice to have" feature for me, I'm not planning on sinking much time into it, so any recent reports of success/failure/difficulties would be appreciated.

;ted

David Morgantini

Mar 4, 2014, 4:28:07 AM
to dropwiz...@googlegroups.com
Hi Ted,

1) Saml sucks.
2) Saml really sucks. OpenIdConnect[1] was just released as an open standard, consider it as an alternative.
3) Saml REALLY sucks. Sorry if you have to use it.

That said, you can (and I HIGHLY recommend against this) hand crank a SAML implementation via OpenSaml[2]. We've done this in some of our stub code and it works reasonably well. The thing is that it's really hard to do right and you are more likely to screw it up and leave security holes than anything else. Alternatively, what we are trying to get our Relying Parties to do is use Shibboleth SP[3]. It's an apache plugin so unfortunately you'd then have to front your app with Apache. If your federation is following the WebSSO profile[4] then Shibboleth will work reasonably well for you.


Cheers,

David 'bearer of many SAML scars' Morgantini
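As an added illustration (Python, not Dropwizard or OpenSAML code and not from this thread) of the part David says is easy to get wrong when hand-cranking an SP: the checks a Service Provider must make on a SAML Response before trusting its assertion, including correlating InResponseTo with the ID of the AuthnRequest the SP generated itself. The entityID, ACS URL, request ID and sample Response are constructed assumptions, and XML-signature verification is deliberately left to a real XML-security library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SKEW = timedelta(minutes=3)  # tolerated clock drift between IdP and SP
FAR_FUTURE, FAR_PAST = "9999-12-31T23:59:59Z", "1970-01-01T00:00:00Z"

def _ts(s):  # SAML timestamps are xs:dateTime in UTC, e.g. 2014-03-05T09:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, acs_url, audience, request_id, now):
    """Return the reasons to reject the response; an empty list means all checks passed.
    XML-signature verification is out of scope here (delegate it to xmlsec/OpenSAML)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # refuse ambiguity: bind to exactly one assertion
        return ["expected exactly one Assertion, found %d" % len(assertions)]
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if cond is None or scd is None:
        return ["Assertion lacks Conditions or SubjectConfirmationData"]
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    signed = a.find("ds:Signature", NS) is not None or root.find("ds:Signature", NS) is not None
    checks = [  # (passed?, reason to reject)
        (root.get("Destination") == acs_url, "Destination is not our ACS URL"),
        (signed, "neither Response nor Assertion carries a Signature"),
        (now + SKEW >= _ts(cond.get("NotBefore", FAR_PAST)), "Assertion not yet valid"),
        (now - SKEW < _ts(cond.get("NotOnOrAfter", FAR_FUTURE)), "Assertion expired"),
        (audience in audiences, "our entityID is not in the AudienceRestriction"),
        (scd.get("Recipient") == acs_url, "Recipient is not our ACS URL"),
        (scd.get("InResponseTo") == request_id, "InResponseTo is not an AuthnRequest we issued"),
        (now - SKEW < _ts(scd.get("NotOnOrAfter", FAR_FUTURE)), "SubjectConfirmationData expired"),
    ]
    return [reason for ok, reason in checks if not ok]

# Constructed sample for illustration (not any IdP's real output); ds:Signature is a placeholder.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Destination="https://sp.example.test/saml/acs" IssueInstant="2014-03-05T09:00:00Z">
 <saml:Assertion ID="_a1"><ds:Signature/><saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"
   InResponseTo="_req42" NotOnOrAfter="2014-03-05T09:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2014-03-05T08:59:00Z" NotOnOrAfter="2014-03-05T09:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `validate_response(SAMPLE, "https://sp.example.test/saml/acs", "https://sp.example.test", "_req42", _ts("2014-03-05T09:01:00Z"))` returns an empty list; the same Response presented late, with a foreign request ID, or without its Signature element is rejected with the matching reason.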

Ted M. Young [@jitterted]

Mar 4, 2014, 5:05:38 PM
to dropwiz...@googlegroups.com
Hi David,

Thanks for the info. This is an internal application, and I was just hoping to save people from having to log in to YAIP (yet another internal app), but it sounds like it'd be more trouble than it's worth.

Given the fact that security isn't a huge factor (so much so that I wouldn't even require people to log in, other than that the app needs a user account), what's the downside to hand-cranking a SAML implementation other than security holes?

;ted

David Morgantini

Mar 5, 2014, 4:31:52 AM
to dropwiz...@googlegroups.com
Hi Ted,

Sounds like you don't actually need identity at all and using OAuth or a shared domain cookie might be much easier. SAML is useful in creating/joining an identity federation (multiple Identity Providers & multiple Service Providers), but it's big, bloated and a downright pain in the ass to set up. Yes, your biggest risk is security, but the simple cost of implementing the framework is, in my opinion, prohibitive unless you are connecting to an existing federation. Since you're not, then you should consider an alternative technology. I'm currently investigating whether we can migrate our service providers off of SAML and onto OpenIdConnect as it is apparently a simpler solution.

Cheers,

David

Ted M. Young [@jitterted]

Mar 5, 2014, 11:28:26 AM
to dropwiz...@googlegroups.com
Hi David,

Yeah, OAuth might end up being a better solution, but I need to look into it more to see how to support SSO (came across this[1] which has a decent comparison of both).

We already have ADFS (Microsoft's federated identity service that supports SAML), but I'm now wondering whether even using that costs me more than it's worth.

Thanks for the info, it's been really helpful!

[1] http://www.mutuallyhuman.com/blog/2013/05/09/choosing-an-sso-strategy-saml-vs-oauth2/

;ted
